I have gotten the task of setting up a network where there is an existing gateway for my "public ip" 10.200.3.2/28 already. I am to setup a gw/dhcp which uses the existing gateway the given ip address on one vlan interface (eth0.2) and uses NAT to get traffic out from 172.16.0.0/25 to the internet and back masquaraded.
I first tried setting up a simple NAT like this:
*nat
:POSTROUTING ACCEPT [0:0]
#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE
and then set up BIND9 on a second machine with only the internal ips (forward and backward), using no views or acl. This worked and I was able to resolve. I then proceeded to end up at the point I am now. I am not able to resolve with ping or nslookup, and when I try with for example "www.example.com" I get this:
user@ns:~$ nslookup www.example.com
;; communications error to 172.16.0.2#53: timed out
;; Got SERVFAIL reply from 172.16.0.2, trying next server
;; communications error to 10.250.0.5#53: timed out
;; communications error to 10.250.0.5#53: timed out
;; no servers could be reached
status shows this:
Nov 24 22:23:46 ns.bedrift3.d3-101.usn named[2232]: network unreachable resolving 'ntp.ubuntu.com/AAAA/IN': 10.250.0.5#53
Nov 24 22:28:55 ns.example.com named[2232]: listening on IPv4 interface eno1, 172.16.0.2#53
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out
Nov 24 22:57:08 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/private: Unable to fetch DNSKEY set '.': timed out
Nov 24 23:14:05 ns.example.com named[2232]: managed-keys-zone/public: Unable to fetch DNSKEY set '.': timed out
I am quite new in this field and feel as if I have tried to the best of my ability, so any feedback would be greatly appriciated.
Both machines are on ubuntu 22.04 LTS Server
Everything GW DHCP (172.16.0.1) Is able to resolve from gw (really slow for some reason)
user@gw:~$ ping google.com
PING google.com (172.217.21.174) 56(84) bytes of data.
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=1 ttl=52 time=10.5 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=2 ttl=52 time=10.3 ms
64 bytes from arn11s03-in-f14.1e100.net (172.217.21.174): icmp_seq=3 ttl=52 time=10.3 ms
64 bytes from fra07s64-in-f174.1e100.net (172.217.21.174): icmp_seq=4 ttl=52 time=10.6 ms
user@gw:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
inet 169.254.245.151/16 brd 169.254.255.255 scope link noprefixroute eth0
valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether dc:a6:32:44:a2:1a brd ff:ff:ff:ff:ff:ff
4: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
inet 10.200.3.2/28 brd 10.200.3.15 scope global noprefixroute eth0.2
valid_lft forever preferred_lft forever
5: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether dc:a6:32:44:a2:19 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.1/25 brd 172.16.0.127 scope global noprefixroute eth0.30
valid_lft forever preferred_lft forever
user@gw:~$ ip r
default via 10.200.3.1 dev eth0.2 proto static metric 401
10.200.3.0/28 dev eth0.2 proto kernel scope link src 10.200.3.2 metric 401
169.254.0.0/16 dev eth0 proto kernel scope link src 169.254.245.151 metric 100
172.16.0.0/25 dev eth0.30 proto kernel scope link src 172.16.0.1 metric 400
224.0.0.0/4 dev eth0 proto static scope link metric 100
/etc/ufw/before.rules
# nat Table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#Forward traffic through eth0.2
-A POSTROUTING -s 172.16.0.0/25 -o eth0.2 -j MASQUERADE
-A POSTROUTING -s 172.16.1.0/25 -o eth0.2 -j MASQUERADE
#Port forwarding
-A PREROUTING -i eth0.30 -p tcp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 25 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p udp --dport 53 -j DNAT --to-destination 172.16.0.2
-A PREROUTING -i eth0.30 -p tcp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 80 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 110 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 143 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 443 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p tcp --dport 1433 -j DNAT --to-destination 172.16.0.3
-A PREROUTING -i eth0.30 -p udp --dport 1433 -j DNAT --to-destination 172.16.0.3
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
dhcpd.conf
option domain-name "example.com";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
authoritative;
subnet 172.16.0.0 netmask 255.255.255.128 {
option domain-name-servers 172.16.0.2, 10.250.0.5, 8.8.8.8;
option routers 172.16.0.1;
option broadcast-address 172.16.0.127;
}
host DNS {
hardware ethernet 18:03:73:28:00:35;
fixed-address 172.16.0.2;
}
host webserver {
hardware ethernet 00:25:64:E6:FD:CF;
fixed-address 172.16.0.3;
}
host safe-dhcp {
hardware ethernet DC:A6:32:44:A2:58;
fixed-address 172.16.0.4;
}
Everything ns (172.16.0.2)
user@ns:~$ ping google.com
ping: google.com: Temporary failure in name resolution
user@ns:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 18:03:73:28:00:35 brd ff:ff:ff:ff:ff:ff
altname enp0s25
inet 172.16.0.2/25 brd 172.16.0.127 scope global dynamic noprefixroute eno1
valid_lft 509sec preferred_lft 509sec
inet6 fe80::1a03:73ff:fe28:35/64 scope link
valid_lft forever preferred_lft forever
user@ns:~$ ip r
default via 172.16.0.1 dev eno1 proto dhcp metric 100
172.16.0.0/25 dev eno1 proto kernel scope link src 172.16.0.2 metric 100
DNS files
/etc/bind/named.conf.options 10.150.0.5 is a dns server which is tested to work on the lab.
options {
listen-on port 53 { localhost; 172.16.0.2; };
directory "/var/cache/bind";
allow-query { any; };
allow-transfer { any; };
forwarders { 10.250.0.5; };
forward only;
};
acl private { localhost; 172.16.0.0/25; 172.16.1.0/25; };
acl public { 10.100.7.0/24; 10.250.0.0/16; };
/etc/bind/named.conf.local
view private {
match-clients { private; };
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
zone "example.com" IN {
type master;
file "/etc/bind/db.example.com";
allow-update { none; };
};
zone "3.200.10.in-addr.arpa" IN {
type master;
file "/etc/bind/db.10.200.3";
allow-update { none; };
};
};
view public {
match-clients { public; };
zone "example.com" IN {
type master;
file "/etc/bind/db.public.example.com";
allow-update { none; };
};
zone "0.16.172.in-addr.arpa" IN {
type master;
file "/etc/bind/db.172.16.0";
allow-update { none; };
};
};
/etc/bind/db.example.com
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
gw IN A 172.16.0.1
ns IN A 172.16.0.2
www IN A 172.16.0.3
mail IN A 172.16.0.3
safe IN A 172.16.0.4
@ IN MX 10 mail
/etc/bind/db.public.example.com
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
gw IN A 10.200.3.1
ns IN A 10.200.3.2
www IN A 10.200.3.2
mail IN A 10.200.3.2
safe IN A 10.200.3.2
@ IN MX 10 mail
/etc/bind/db.10.200.3
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
1 IN PTR gw.example.com.
2 IN PTR ns.example.com.
3 IN PTR www.example.com.
3 IN PTR mail.example.com.
4 IN PTR safe.example.com.
/etc/bind/db.172.16.0
$TTL 1h
@ IN SOA dns-example.com. [email protected]. (1234 1H 1800 60 30)
@ IN NS dns-example.com.
1 IN PTR gw.example.com.
2 IN PTR ns.example.com.
3 IN PTR www.example.com.
3 IN PTR mail.example.com.
4 IN PTR safe.example.com.
nameserver 10.250.0.5
not:nameserver 172.16.0.2 nameserver 10.250.0.5
and it is now resolving to google.com a lot faster. It does not seem to have solved anything else, but a little progress atleast.